Merge pull request #54 from cloudgraphdev/feature/CG-1139

feat: Add AWS IAM Access analyzer service

Author: tyler-dunkel

README.md

@@ -117,6 +117,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | glueJob                     | iamRole                                                                                                                                                                                                                                                                                                                                                                       |
 | glueRegistry                |                                                                                                                                                                                                                                                                                                                                                                               |
 | guardDutyDetector           | iamRole                                                                                                                                                                                                                                                                                                                                                                       |
+| iamAccessAnalyzer |                                                                                                                                                                                                                                                                                                                                                                  |
 | iamInstanceProfile          | ec2, iamRole                                                                                                                                                                                                                                                                                                                                                                  |
 | iamPasswordPolicy           |                                                                                                                                                                                                                                                                                                                                                                               |
 | iamSamlProvider             | cognitoIdentityPool                                                                                                                                                                                                                                                                                                                                                           |

src/enums/schemasMap.ts

@@ -54,6 +54,7 @@ export default {
   [services.emrCluster]: 'awsEmrCluster',
   [services.emrInstance]: 'awsEmrInstance',
   [services.emrStep]: 'awsEmrStep',
+  [services.iamAccessAnalyzer]: 'awsIamAccessAnalyzer',
   [services.iamGroup]: 'awsIamGroup',
   [services.iamOpenIdConnectProvider]: 'awsIamOpenIdConnectProvider',
   [services.iamPasswordPolicy]: 'awsIamPasswordPolicy',

src/enums/serviceAliases.ts

@@ -36,6 +36,7 @@ export default {
   [services.glueJob]: 'glueJobs',
   [services.glueRegistry]: 'glueRegistries',
   [services.guardDutyDetector]: 'guardDutyDetectors',
+  [services.iamAccessAnalyzer]: 'iamAccessAnalyzers',
   [services.iamGroup]: 'iamGroups',
   [services.iamOpenIdConnectProvider]: 'iamOpenIdConnectProviders',
   [services.iamPasswordPolicy]: 'iamPasswordPolicies',

src/enums/serviceMap.ts

@@ -58,6 +58,7 @@ import SES from '../services/ses'
 import SQS from '../services/sqs'
 import VPC from '../services/vpc'
 import ECR from '../services/ecr'
+import IamAccessAnalyzer from '../services/iamAccessAnalyzer'
 import IamGroup from '../services/iamGroup'
 import IamUser from '../services/iamUser'
 import IamRole from '../services/iamRole'
@@ -171,6 +172,7 @@ export default {
   [services.s3]: S3,
   [services.secretsManager]: SecretsManager,
   [services.ses]: SES,
+  [services.iamAccessAnalyzer]: IamAccessAnalyzer,
   [services.iamUser]: IamUser,
   [services.iamGroup]: IamGroup,
   [services.iamRole]: IamRole,

src/enums/services.ts

@@ -48,6 +48,7 @@ export default {
   emrCluster: 'emrCluster',
   emrInstance: 'emrInstance',
   emrStep: 'emrStep',
+  iamAccessAnalyzer: 'iamAccessAnalyzer',
   iamUser: 'iamUser',
   iamGroup: 'iamGroup',
   iamRole: 'iamRole',

src/properties/logger.ts

@@ -668,4 +668,8 @@ export default {
    * Configuration Recorder Status
    */
    fetchedConfigurationRecorderStatus: (num: number): string => `Fetched ${num} Configuration Recorder Status`,
+  /**
+   * Access Analyzers
+   */
+  fetchedaccessAnalyzers: (num: number): string => `Found ${num} Access Analyzers`,
 }

src/services/account/schema.graphql

@@ -49,6 +49,7 @@ type awsAccount implements awsOptionalService @key(fields: "id") {
   glueJobs: [awsGlueJob]
   glueRegistries: [awsGlueRegistry]
   guardDutyDetectors: [awsGuardDutyDetector]
+  iamAccessAnalyzers: [awsIamAccessAnalyzer]
   iamGroups: [awsIamGroup]
   iamOpenIdConnectProviders: [awsIamOpenIdConnectProvider]
   iamPasswordPolicies: [awsIamPasswordPolicy]

src/services/iamAccessAnalyzer/data.ts

@@ -0,0 +1,125 @@
+import CloudGraph from '@cloudgraph/sdk'
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import AccessAnalyzer, {
+  ListAnalyzersRequest,
+  ListAnalyzersResponse,
+  AnalyzerSummary,
+  AnalyzersList,
+} from 'aws-sdk/clients/accessanalyzer'
+
+import { Config } from 'aws-sdk/lib/config'
+import { AWSError } from 'aws-sdk/lib/error'
+import awsLoggerText from '../../properties/logger'
+import { initTestEndpoint } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import { TagMap } from '../../types'
+
+const lt = { ...awsLoggerText }
+const { logger } = CloudGraph
+const serviceName = 'IAM Access Analyzer'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+
+const listAnalyzersData = async ({
+  accessAnalyzer,
+  region,
+  nextToken: NextToken = '',
+}: {
+  accessAnalyzer: AccessAnalyzer
+  region: string
+  nextToken?: string
+}): Promise<(AnalyzerSummary & { region: string })[]> =>
+  new Promise<(AnalyzerSummary & { region: string })[]>(resolve => {
+    let analyzerSummarytData: (AnalyzerSummary & {
+      region: string
+    })[] = []
+
+    const analyzersList: AnalyzersList = []
+    let args: ListAnalyzersRequest = {}
+
+    if (NextToken) {
+      args = { ...args, nextToken: NextToken }
+    }
+
+    accessAnalyzer.listAnalyzers(
+      args,
+      (err: AWSError, data: ListAnalyzersResponse) => {
+        if (err) {
+          errorLog.generateAwsErrorLog({
+            functionName: 'accessAnalyzer:listAnalyzers',
+            err,
+          })
+        }
+
+        if (!isEmpty(data)) {
+          const { nextToken, analyzers: analyzersData = [] } = data
+
+          analyzersList.push(...analyzersData)
+
+          logger.debug(lt.fetchedaccessAnalyzers(analyzersList.length))
+
+          if (nextToken) {
+            listAnalyzersData({ accessAnalyzer, region, nextToken })
+          }
+
+          analyzerSummarytData = analyzersList.map(analyzer => ({
+            ...analyzer,
+            region,
+          }))
+        }
+
+        resolve(analyzerSummarytData)
+      }
+    )
+  })
+
+/**
+ * IAM Access Analyzer
+ */
+
+export interface RawAwsAnalyzerSummary extends Omit<AnalyzerSummary, 'Tags'> {
+  region: string
+  Tags?: TagMap
+}
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{
+  [region: string]: RawAwsAnalyzerSummary[]
+}> =>
+  new Promise(async resolve => {
+    const analyzerSummaryResult: RawAwsAnalyzerSummary[] = []
+
+    const regionPromises = regions.split(',').map(region => {
+      const accessAnalyzer = new AccessAnalyzer({ ...config, region, endpoint })
+
+      return new Promise<void>(async resolveAnalyzerSummaryData => {
+        const analyzerSummaryData = await listAnalyzersData({
+          accessAnalyzer,
+          region,
+        })
+
+        if (!isEmpty(analyzerSummaryData)) {
+          for (const analyzer of analyzerSummaryData) {
+            analyzerSummaryResult.push({
+              ...analyzer,
+              region,
+              Tags: analyzer.tags || {}
+            })
+          }
+        }
+
+        resolveAnalyzerSummaryData()
+      })
+    })
+
+    await Promise.all(regionPromises)
+    errorLog.reset()
+
+    resolve(groupBy(analyzerSummaryResult, 'region'))
+  })

src/services/iamAccessAnalyzer/format.ts

@@ -0,0 +1,45 @@
+import { AwsIamAccessAnalyzer } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+
+import { RawAwsAnalyzerSummary } from './data'
+
+/**
+ * IAM Access Analyzer
+ */
+
+export default ({
+  service: rawData,
+  account,
+}: {
+  service: RawAwsAnalyzerSummary
+  account: string
+  region: string
+}): AwsIamAccessAnalyzer => {
+  const {
+    arn,
+    createdAt,
+    lastResourceAnalyzed,
+    lastResourceAnalyzedAt,
+    name,
+    status,
+    statusReason,
+    Tags: tags = {},
+    type,
+    region,
+  } = rawData
+
+  return {
+    id: arn,
+    arn,
+    accountId: account,
+    region,
+    createdAt: createdAt?.toISOString(),
+    lastResourceAnalyzed,
+    lastResourceAnalyzedAt: lastResourceAnalyzedAt?.toISOString(),
+    name,
+    status,
+    statusReasonCode: statusReason?.code || '',
+    type,
+    tags: formatTagsFromMap(tags),
+  }
+}

src/services/iamAccessAnalyzer/index.ts

@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class IamAccessAnalyzer extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}